(19) Europäisches Patentamt / European Patent Office / Office européen des brevets

(11) EP 0 800 135 A1

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 08.10.1997 Bulletin 1997/41

(51) Int. Cl.: G06F 11/00

(21) Application number: 97301605.8

(22) Date of filing: 11.03.1997

(84) Designated Contracting States: BE DE FR GB IT NL SE

(30) Priority: 13.03.1996 GB 9605338

(71) Applicant: Arendee Limited, Edinburgh EH1 2ET (GB)

(72) Inventors:
• White, Norman Jackson, Kinross, KY13 7AZ (GB)
• Robb, David, Kirkcaldy, KY2 5UL (GB)
• Killean, Reginald, Burntisland, KY3 9HZ (GB)

(74) Representative: Ede, Eric et al, Fitzpatricks, 4 West Regent Street, Glasgow G2 1RS (GB)

(54) Method and apparatus for controlling access to and corruption of information in computer systems

(57) There is disclosed a method and apparatus for controlling access to and corruption of information in a computer system. In known "PC Virus" protection methods the boot partition becomes "Read Only" when the system is in Supervised Mode. However, Microsoft Windows, although not strictly self-modifying, does require that certain files located within the Windows directory can be written to. Accordingly the present invention provides a method of controlling access to and modification of information stored on a storage medium forming part of a computer system comprising: dividing information stored on the storage medium into a plurality of non-overlapping partitions including a boot partition and at least one general partition, characterised by: designating at least one of said partitions a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite any resident information stored in a/the WMR partition by updated information, the updated information is written on the storage medium in a location other than where the resident information is stored and a (virtual) pointer to the updated information is set up/kept so that the updated information can be accessed, as required, during a remainder of a session.

Description

Background of the Invention 

The present invention relates to a method and apparatus for controlling access to and corruption of information in a computer system.

PCT/GB91/00261 (WO91/13403) also by the 
present inventors (the content of which is incorporated 
herein by reference) discloses a method and apparatus 
particularly concerned with the detection and contain- 
ment of hostile programs such as "virus" programs with- 
in computer systems. In this document there is dis- 
closed a method of (and related apparatus for) control- 
ling access to and modification of information stored on 
a storage medium forming part of a computer system 
comprising: 

dividing information stored on the storage medium into a plurality of non-overlapping partitions, including a boot partition and a plurality of general partitions, each of the partitions being further divided into a plurality of sectors, any designated subset of the general partitions being active at any given time when the computer system is in use, characterised by

providing supervising means (a Supervisor) sepa- 
rate of a central processing unit (CPU) of the com- 
puter system and made inaccessible to the user for 
controlling the performance of read, write and for- 
mat operations upon the information stored on the 
storage medium so as to allow, restrict or prevent 
such operations depending upon the type of infor- 
mation stored within a sector and type and status 
of the partition within which the sector is located, 
the supervising means causing a reset to be re- 
quired of the computer system should an attempt 
be made to perform a prohibited read, write or for- 
mat operation, said reset causing memory to be 
cleared and the operating system to be loaded. 

In the invention disclosed in PCT/GB91/00261 the 
boot partition becomes "Read Only" when the system is 
in Supervised Mode. This prevents attack by a virus, 
whilst allowing execution of DOS utilities and programs 
providing they are not self-modifying. 

Since the conception of virus isolation according to 
PCT/GB91/00261 there have been changes and im- 
provements to PC operating systems. These present 
certain limitations to the scope of the virus isolator in- 
vention. For example: 

(1) Microsoft Windows, although not strictly self-modifying, does require that certain files located within the Windows directory can be written to.

(2) A system administrator may install an executable in the boot partition without knowing it is self-modifying. If such an executable is installed in the boot partition and self-modification of this program is attempted when the system is in Supervised Mode, the Supervisor will block the write attempt and freeze the system.

(3) Microsoft Windows virtual memory manager 
may require write access to either or both the Win- 
dows directory and the root directory of the boot par- 
tition. 

(4) Network software may require access to the 
boot partition. 

(5) In general, with a complex operating system, 
making the boot partition 'Read Only' is restrictive 
and may cause incompatibility and high administra- 
tion overhead. 

It is an object of the present invention to obviate or 
mitigate the aforementioned problems. 

Summary of the Invention 

According to a first aspect of the present invention there is provided a method of controlling access to and modification of information stored on a storage medium forming part of a computer system comprising:

dividing information stored on the storage medium 
into a plurality of non-overlapping partitions includ- 
ing a boot partition and at least one general parti- 
tion, characterised by 

designating at least one of said partitions a Write 
Many Recoverable (WMR) partition wherein, in use, 
if a write command is issued to overwrite any resi- 
dent information stored in a/the WMR partition by 
updated information the updated information is writ- 
ten on the storage medium in a location other than 
where the/any resident information is stored and a 
(virtual) pointer to the updated information is set up/ 
kept so that the updated information can be ac- 
cessed, as required during a remainder of a ses- 
sion. 

A system reset causes the updated information, together with the list of pointers to this information, to be cleared. This returns the WMR partition to its original state as configured in Unsupervised Mode.

Providing such a WMR partition is virus-free to start 
with it will be virus-free at the start of each new session. 

Preferably a boot partition on the storage medium 
would be WMR protected. A general partition could also 
be WMR protected should a user require it. 

The basis of the method according to the first aspect of the present invention to achieve this is to set up a scheme in which the original information stored in the WMR partition is kept unaltered and the data which would normally overwrite it is stored securely elsewhere on the storage medium where it can be accessed as required during the remainder of a session. The scheme defines how this is done efficiently in terms of minimal additional storage space and minimal reduction in throughput time while at the same time providing maximum security.

Preferably according to the method of the first aspect of the present invention there is also provided supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system and made inaccessible to the user,

said supervising means allowing/restricting/prohibiting read/write operations upon the storage medium depending upon whether information to be read from a sector or written to a sector is operating system information or user information, whether the sector is in the boot partition or in a general partition, and whether the partition is active or inactive,
said supervising means also allowing a format operation only on a general partition which is active and prohibiting a format operation on the boot partition or on a general partition which is inactive,
and causing a warning to be issued to the user should an attempt be made to perform a prohibited read, write or format operation.

Preferably, space is reserved on the storage medium which may be accessed only by the Supervisor, referred to as the dedicated area 2. The dedicated area may be a special partition, a range of sectors within the WMR partition, or unallocated sectors within a dormant partition.

Each WMR partition has a Sector Relocation Table (SRT) associated with it which table is held in Supervisor RAM, each entry in a SRT defining the address of a range of sectors in the WMR partition that have been updated and the address where the updated information is located, this location being within the dedicated area.

According to a second aspect of the present inven- 
tion there is provided an apparatus for controlling ac- 
cess to and modification of information stored on a stor- 
age medium of a computer system, the storage medium 
being divided into a plurality of non-overlapping parti- 
tions including a boot partition and at least one general 
partition, characterised in that 

at least one of said partitions comprises a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite (ie, update) any information stored in the WMR partition the updated information is stored elsewhere on the storage medium and a pointer to this information kept so the information can be accessed as required during the remainder of the session, wherein a system reset causes the updated information, together with the list of pointers to this information, to be cleared, thus returning the WMR partition to its original state as configured in Unsupervised Mode.

Preferably the apparatus further comprises a supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system and made inaccessible to the user,

said supervising means allowing/restricting/prohibiting read/write operations upon the storage medium depending upon whether information to be read from a sector or written to a sector is operating system information or user information, whether the sector is in the boot partition or in a general partition and, if the partition is a general partition, whether the partition is active or inactive,
said supervising means also allowing a format operation only on a general partition which is active and prohibiting a format operation on the boot partition or on a general partition which is inactive,
the supervising means causing a warning to be issued to the user should an attempt be made to perform a prohibited read, write or format operation, said operation being prevented by the Supervisor.

According to a third aspect of the present invention there is provided a method of controlling access to and modification of information stored on a storage medium forming part of a computer system comprising:

dividing information stored on the storage medium into a plurality of non-overlapping partitions including a boot partition and at least one general partition, characterised by

designating at least one of said partitions a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite any information stored in a/the WMR partition, prior to undertaking said write command said information is copied and stored elsewhere on the storage medium to be copied back to said WMR partition when required - for example upon a system reset.


It is apparent that according to the third aspect of the present invention a previously "Read Only" partition, such as the boot partition, is permitted to be written to without limit during a session. At the start of a new session, however, all changes to the partition are undone and the partition is restored to its original state. This partition may, therefore, be called a Write Many Recoverable (WMR) partition. Provided such a partition is virus-free to start with it will be virus-free at the start of each new session.

The basis of the method of the third aspect of the present invention to achieve this is to set up a scheme in which a copy of any "cluster" in the WMR partition that is to be over-written is stored securely elsewhere on the storage medium and can be copied back when required. The scheme defines how this is done efficiently in terms of minimal additional storage space and minimal reduction in throughput time while at the same time providing maximum security.

Preferably according to the method of the third aspect of the present invention there is also provided supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system for controlling the performance of read, write and format operations upon the information stored on the storage medium so as to allow, restrict or prevent such operations depending upon the type of information stored within a sector and type and status of the partition within which the sector is located,

the supervising means causing a reset to be required of the computer system should an attempt be made to perform a prohibited read, write or format operation, said reset causing memory to be cleared and the operating system to be loaded.

Preferably, the storage medium provides a special partition (Virus Isolation Space), each WMR partition having a File Allocation Table (FAT) allocated to it which table is held in said special partition, each entry in a FAT defining the address of a cluster that has been altered in the WMR partition and the address of the copy of the information originally held in said cluster.

The Information originally held in said cluster may 
be copied to the special partition. 

Alternatively, the information originally held in said 
cluster may be copied to an inactive partition. 

According to a fourth aspect of the present invention there is provided an apparatus for controlling access to and modification of information stored on a storage medium of a computer system, the storage medium being divided into a plurality of non-overlapping partitions including a boot partition and at least one general partition, characterised in that

at least one of said partitions comprises a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite any information stored in a/the WMR partition, prior to undertaking said write command said information is copied and stored elsewhere on the storage medium to be copied back to said WMR partition when required - for example upon a system reset.

Preferably the apparatus further comprises a supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system for controlling the performance of read, write or format operations upon the information stored on the storage medium so as to allow, restrict or prevent such operations depending upon the type of information stored within a sector and the type and status of the partition within which the sector is located wherein, in use, the supervising means causes a reset to be required of the computer system should an attempt be made to perform a prohibited read, write or format operation.

According to any of the foregoing method aspects of the present invention read operations may be allowed on any information in the boot partition, but an attempt to write or format the boot partition may cause a system reset.

Further, boot sectors of the storage medium may be considered to be part of the boot partition, irrespective of the position of the starting sector of the boot partition as may be defined by the storage medium operating system.

Also, reading of any operating system information 
sectors or user-generated information sectors in an ac- 
tive general partition may be allowed, writing to such us- 
er-generated information sectors may be allowed, and 
writing to such operating system information sectors 
may be restricted such that an attempt to modify the size 
or boundaries of the partition causes a system reset. 

Only the reading of information from operating system sectors of inactive general partitions may be allowed, and an attempt to perform any other read, write or format operation on such partitions may be either denied or cause a system reset.

The restriction or prevention of the performance of 
read, write and format operations can be removed to al- 
low set-up or maintenance of the storage medium and 
thereafter reinstated. 
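The access policy set out in the preceding paragraphs (reads anywhere in the boot partition but write or format forcing a reset, boot sectors counted as part of the boot partition, free writes to user data in the active partition, OS-sector writes that change partition bounds forcing a reset, only OS-sector reads on dormant partitions, and everything lifted in Unsupervised Mode) can be written down as one decision function. The Python model below is an added example, not code from the application; the LBA layout, the partition labels and the choice to answer a prohibited request on a dormant partition with a denial rather than a reset are assumptions of the example (the application leaves that choice open).

```python
from dataclasses import dataclass
from enum import Enum


class Op(Enum):
    READ = "read"
    WRITE = "write"
    FORMAT = "format"


class Kind(Enum):
    BOOT = "boot"
    GENERAL = "general"


class Info(Enum):
    OS = "os"        # operating system information sector (directory, allocation table, ...)
    USER = "user"    # user-generated information sector


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    RESET = "reset"  # Supervisor forces a reset: memory cleared, operating system reloaded


@dataclass(frozen=True)
class Partition:
    label: str
    first_lba: int
    last_lba: int
    kind: Kind


# Constructed layout for this example (not taken from the application): one boot
# partition and two general partitions; LBA 0 (the MBR) lies before the boot
# partition's first sector.
LAYOUT = [
    Partition("C", 63, 1023, Kind.BOOT),
    Partition("D", 1024, 2047, Kind.GENERAL),
    Partition("E", 2048, 4095, Kind.GENERAL),
]


def locate(lba, layout=LAYOUT):
    """Map a sector to its partition. Sectors below the boot partition's first
    sector (the boot sectors) count as part of the boot partition."""
    boot = next(p for p in layout if p.kind is Kind.BOOT)
    if lba < boot.first_lba:
        return boot
    for p in layout:
        if p.first_lba <= lba <= p.last_lba:
            return p
    raise ValueError("LBA %d is outside every partition" % lba)


def decide(op, lba, info, active_label, supervised=True,
           changes_bounds=False, layout=LAYOUT):
    """Supervisor verdict for one request.

    changes_bounds marks an OS-sector write that would alter the size or
    boundaries of the partition. Prohibited operations on a dormant partition
    return DENY here; the application allows either a denial or a reset, so
    that mapping is an assumption of this example."""
    if not supervised:
        # Unsupervised Mode: restrictions lifted for set-up or maintenance.
        return Verdict.ALLOW
    part = locate(lba, layout)
    if part.kind is Kind.BOOT:
        # Reads of anything in the boot partition are fine; write or format
        # attempts (including on the boot sectors) force a reset.
        return Verdict.ALLOW if op is Op.READ else Verdict.RESET
    if part.label == active_label:
        if op in (Op.READ, Op.FORMAT):
            return Verdict.ALLOW     # format is allowed only on the active general partition
        if info is Info.USER:
            return Verdict.ALLOW     # user data in the active partition may be written
        return Verdict.RESET if changes_bounds else Verdict.ALLOW
    # Dormant general partition: only reads of OS sectors get through.
    if op is Op.READ and info is Info.OS:
        return Verdict.ALLOW
    return Verdict.DENY


def audit(requests, active_label="D"):
    """Evaluate a sequence of (op, lba, info) requests and return, per request,
    the partition the sector resolved to and the verdict, as a Supervisor log."""
    return [(op.value, lba, locate(lba).label, decide(op, lba, info, active_label).value)
            for op, lba, info in requests]


if __name__ == "__main__":
    # Constructed request trace: read the MBR, then a program tries to write to it.
    for row in audit([(Op.READ, 0, Info.OS), (Op.WRITE, 0, Info.OS),
                      (Op.WRITE, 1500, Info.USER), (Op.FORMAT, 3000, Info.OS)]):
        print(row)
```

The point of `locate` is the boot-sector rule: a write to LBA 0 is judged as a boot-partition write even though the boot partition's own first sector is 63, so a request aimed at the MBR cannot slip through as "outside any partition".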

The storage medium may be selected from any one of a hard disk, a floppy disk, an optical disk or a tape.

Alternatively, the storage medium may be a file server, and the computer system is a local area network, and which user computer is using which partition of the file server may be determined such that an attempt by a user computer to perform a prohibited operation causes a reset to be required of the user computer.

According to any of the foregoing apparatus as- 
pects of the present invention the apparatus may pro- 
vide hardware means adapted to be incorporated into 
the computer system. 

Alternatively, the apparatus may provide firmware 
means adapted to be incorporated into the computer 
system. 

Alternatively, the apparatus may provide a combi- 
nation of both hardware and firmware means, both be- 
ing adapted to be incorporated into the computer sys- 
tem. 

There may be provided a processor which may be made inaccessible to a user and to any virus and which supervises all data transfers between and within subdivisions of the storage medium or storage media placed under its control.

Brief Description of the Drawings 

Embodiments of the present invention will now be 
described, by way of example only, with reference to the 
accompanying drawings, which are: 

Fig 1 a schematic diagram showing the division of a storage medium for use in a first embodiment of the present invention;

Fig 2 a flow chart showing the sequence of events should the computer system wish to write to a Write Many Recoverable (WMR) partition used in the embodiment of Fig 1;

Fig 3 a flow chart showing the sequence of events should a computer system wish to read from a Write Many Recoverable (WMR) partition;

Fig 4 a schematic diagram showing the division of a storage medium for use in the present invention;

Fig 5 a flow chart showing the sequence of events 
should the computer system wish to write to a 
Write Many Recoverable (WMR) partition used 
in the embodiment of Fig 4; 

Fig 6 a schematic block diagram of a hardware arrangement of a first embodiment of a Supervisor for use in the present invention;

Fig 7 a schematic block diagram of a hardware ar- 
rangement of a second embodiment of a Su- 
pervisor for use in the present invention; and 

Fig 8 a schematic circuit diagram of an actual em- 
bodiment of the Supervisor of Fig 7. 

Detailed Description of the Embodiments 

The set-up and operation of the present invention is best understood by describing the various stages of operation involved. The embodiments of the invention hereinafter described beneficially include a Supervisor of the type disclosed previously in PCT/GB91/00261. The contents of PCT/GB91/00261 (WO 91/13403) are, therefore, incorporated herein by reference.

Referring firstly to the first embodiment of Figs 1 and 2:

1.1 Initial Connection 

When a storage medium 1 (such as a hard disk) is first connected to a computer system (not shown), space that will be inaccessible to the user, ie, a dedicated area, is reserved on the storage medium 1.

A password is entered and stored in either the dedicated area 2 or in Supervisor Flash ROM (Fig 4, 13). This password is later used to allow the system to be put into Unsupervised Mode.

1.2 Unsupervised Mode 

Entering this mode requires the use of the Unsuper- 
vised Mode password (reference PCT/GB91/00261). 
When the system is in this mode, a default partitioning 
scheme will be offered, although it may be reconfigura- 
ble by the user. 

(a) Typically the default scheme could consist of the following partition types: Read Only (RO), Write Many Recoverable (WMR) 3, and 'general' 4. A general partition is simply a partition other than an RO or WMR partition and one which may be written to. Each WMR partition will have a Sector Relocation Table (WMR-SRT) associated with it which will be held in Supervisor RAM (Fig 4, 14). In use, each entry in the WMR-SRT defines the address of a range of sectors which are updates of sectors within a WMR partition and includes a pointer to said range of updated sectors. Each partition could be allocated a default partition type based on general guidelines. For example, Partition C = WMR; Partition D = RO; all other partitions = General; partition descriptors given by their partition label.

(b) The user may define a description string for each 
partition, defining its contents. 

(c) The invention will permit the user if he wishes to revise (a) and (b) and add partitions, change partition boundaries and define the partition type for each partition.

1.3 Supervised Mode

(a) It is important to note that when a user powers down at the end of a session in Supervised Mode the WMR-SRT is discarded, removing all pointers to updated sectors. An empty WMR-SRT returns the WMR partition to its original state, which reflects the WMR partition state after the last change made when the system was in Unsupervised Mode.

(b) The WMR-SRT is initialised ready for use. 

(c) Partition bounds and number of partitions are checked against a table stored in either the dedicated area 2 or in Supervisor Flash ROM (Fig 4, 13). If during Unsupervised Mode, the user has altered the configuration of partitions without re-configuring this table, then Supervised Mode may be denied until this is rectified. Alternatively, the table may be generated each time the user enters Supervised Mode, using a scheme which does not require user intervention.

(d) The user is prompted to select a partition, for normal reading and writing, from the list of general partitions. This is done prior to any operations of the operating system and storage medium 1. The selected partition is defined as the 'active partition' and the remaining general partitions are defined as 'dormant' partitions. The active partition will continue to be active until the session is finished. A new session can be started when the user re-enters Supervised Mode, through resetting the system thereby clearing system RAM.

(e) As a refinement to the above at the start of a session, a user may be prompted to provide a username or password which may be compared with data in the dedicated area 2. The user may then be restricted to a subset of the general partitions from which he can select an active partition.

(f) The user is given full access to all WMR and RO partitions (and of course to the selected active partition).

4. Accessing a WMR Partition 


As noted already, a WMR-SRT has been defined for each WMR partition 3, and stored in the dedicated area 2.

(a) During operation of the invention, it may be that a range of sectors may require to be updated in the WMR partition 3. When this happens, the Supervisor (not shown) generates an entry in the WMR-SRT which defines the range of sectors that are to be updated and sets a pointer to the location (in the dedicated area) where said updated sectors will be written. The original, unmodified sectors remain in their original location.

(b) The updated sectors may be stored elsewhere in the storage medium, within the dedicated area. This dedicated area may be a special partition. Alternatively, the dedicated area could be located within a dormant partition. Since the dormant partitions cannot be accessed by a user during the session it is safe to use unallocated sectors which may be released before a new session is begun. This is illustrated in Figure 1.

(c) The Supervisor follows the flow diagram shown in Figure 2 whenever a request is made to write to a WMR partition 3.

(d) The Supervisor follows the flow diagram shown in Figure 3 whenever a request is made to read from a WMR partition 3.

(e) An alternative scheme for implementing a WMR partition is possible where write operations to said partition cause the original sectors to be copied to a secure location before allowing the write operation to complete. At the start of each session the original sectors are copied back into their original locations within the WMR partition, returning said partition to its original state.
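The write and read paths of this first embodiment (the WMR-SRT entry created on a write, the updated data landing in the dedicated area, reads consulting the SRT before the resident sector, and the SRT vanishing with Supervisor RAM on reset) are simulated below. This is an added example and not code from the application; the 32-sector disk, the per-sector SRT (the application's entries cover sector ranges, which this example collapses to single sectors) and the first-free allocation of dedicated sectors are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass
class Disk:
    """Constructed flat sector store (not from the application). The WMR
    partition and the Supervisor's dedicated area are two LBA ranges on the
    same medium, as in the Fig 1 arrangement described above."""
    sectors: list
    wmr: range          # sectors of the WMR partition
    dedicated: range    # sectors reserved for the Supervisor, invisible to the PC


def make_disk():
    """32-sector medium: WMR partition at LBA 0-15, dedicated area at LBA 16-31."""
    sectors = [b"boot-sector-%02d" % i for i in range(16)] + [b""] * 16
    return Disk(sectors, range(0, 16), range(16, 32))


class Supervisor:
    """Redirect-on-write for a WMR partition. The WMR-SRT lives in Supervisor
    RAM; here it is a dict keyed by a single WMR sector rather than by a sector
    range, which is the simplification this example makes."""

    def __init__(self, disk):
        self.disk = disk
        self.srt = {}                       # WMR-SRT: wmr_lba -> dedicated-area lba
        self.free = list(disk.dedicated)    # dedicated sectors not yet handed out

    def write(self, lba, data):
        """PC writes a WMR sector: the data lands in the dedicated area and the
        SRT records the relocation; the resident sector is never modified."""
        if lba not in self.disk.wmr:
            raise PermissionError("only WMR-partition writes are redirected here")
        if lba not in self.srt:
            if not self.free:
                raise RuntimeError("dedicated area exhausted")
            self.srt[lba] = self.free.pop(0)
        self.disk.sectors[self.srt[lba]] = data   # a later write reuses the same slot

    def read(self, lba):
        """PC reads a sector: consult the SRT first (the Fig 3 flow), fall back
        to the resident sector; the dedicated area itself is not readable by the PC."""
        if lba in self.disk.dedicated:
            raise PermissionError("dedicated area is Supervisor-only")
        return self.disk.sectors[self.srt.get(lba, lba)]

    def reset(self):
        """System reset at the end of a session: Supervisor RAM is cleared, so
        the SRT and every pointer to updated sectors disappear."""
        self.srt.clear()
        self.free = list(self.disk.dedicated)


def session_demo():
    """One session: a sector in the boot partition is updated twice, read back,
    then the system resets. Returns what the PC saw in-session, what is
    physically resident, the SRT contents, and what the PC sees after reset."""
    disk = make_disk()
    sup = Supervisor(disk)
    sup.write(3, b"updated-once")      # e.g. Windows rewriting a file in its directory
    sup.write(3, b"updated-twice")     # second update: same SRT entry, no new slot
    seen_in_session = sup.read(3)
    resident = disk.sectors[3]         # the original sector is still in place
    srt_entries = dict(sup.srt)
    sup.reset()
    seen_after_reset = sup.read(3)
    return seen_in_session, resident, srt_entries, seen_after_reset


if __name__ == "__main__":
    print(session_demo())
```

Two properties worth checking against the simulation: the resident sector at LBA 3 is byte-identical before and after the session, so whatever was written during the session (including by a hostile program) cannot survive the reset, and the dedicated area is unreadable from the PC side, so the relocated copies are not a second channel for reading them back.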

Referring now to the second embodiment of Figs 4 and 5:

2.1 Initial Connection

When a storage medium 101 (such as a hard disk) is first connected to a computer system (not shown), space that will be inaccessible to the user is reserved on the storage medium 101. This space is a special partition and can be called Virus Isolator Space 102.

A password is entered and stored in Virus Isolation Space 2. This password is later used to allow the system to be put into Unsupervised Mode.



2.2 Unsupervised Mode 

This mode requires the use of the Unsupervised 
Mode password (reference PCT/GB91/00261). When 
the system is in this mode, the user can configure both 
the system and the Virus Isolator Space 102. 

(a) The user may define, for each partition, whether the partition is to be Read Only (RO) (not shown), Write Many Recoverable (WMR) 103, or 'general' 104. A general partition is simply a partition other than an RO or WMR partition and one which may be written to. Each WMR partition will have a File Allocation Table (WMR-FAT) allocated to it which will be held in Virus Isolation Space 102. In use, each entry in the WMR-FAT will define the address of a cluster that has been altered within a WMR partition and will include a pointer to a copy of the original unaltered cluster.

(b) The user may define a description string for each 
partition, defining its contents. 

(c) When partitions are added or boundaries al- 
tered, the user may revise (a) and (b). If the user is 
not forced by the system to do this, a default will be 
adopted, such as 'General' status and 'Partition 
104'. 

The exact housekeeping that is required need 
not be defined since the scheme will work without 
the user's intervention, provided certain general 
guidelines are provided. For example, Partition C = 
WMR; all other partitions = general; partition de- 
scriptors given by their drive letter. 

2.3 Supervised Mode 

(a) All WMR partitions 103 are restored to their original state by reference to their WMR-FAT in Virus Isolator Space 102. For consistency, this also happens when entering Unsupervised Mode.

Each WMR-FAT entry contains a pointer to (ie address of) an altered cluster within the WMR partition 102 and a pointer to a copy of the original cluster. Hence, at the start of each session, the following procedure is all that is required in order to restore the WMR partition 102. For each WMR-FAT entry:

- Copy the original cluster back to its location in the WMR partition 102 (copy cluster X to cluster 'A' as shown in Fig 1);
- Delete the WMR-FAT entry.

(Note: A power cut or system crash during this sequence will not affect the capability to restore the original WMR partition although the procedure may have to be repeated.)

(b) The WMR-FAT(s) are initialised ready for use. 

(c) Partition bounds and number of partitions are 
checked against a table stored in Virus Isolator 
Space 102. If during Unsupervised Mode, the user 
has altered the configuration of partitions without re- 
configuring Virus Isolator Space 102, then Super- 
vised Mode may be denied until this is rectified. 

(d) The user is prompted to select a partition, for normal reading and writing, from the list of general partitions. This is done prior to any operations of the operating system and storage medium 101. The selected partition is defined as the 'active partition' and the remaining general partitions are defined as 'dormant' partitions. The active partition will continue to be active until the session is finished. A new session can be started when the user re-enters Supervised Mode, through clearing the system RAM and resetting the system.

(e) As a refinement to the above at the start of a 
session, a user may be prompted to provide a user- 
name or password which may be compared with da- 
ta in Virus Isolator Space 102. The user may then 
be restricted to a subset of the general partitions 
from which he can select an active partition. 

(f) The user is given full access to all WMR and RO partitions (and of course to the selected active partition).

4. Accessing a WMR Partition 

As noted already, a WMR-FAT has been defined for 
each WMR partition 103, and stored in Virus Isolator 
Space 102. 

(a) During operation of the invention, it may be that a cluster may require to be altered in the WMR partition 103. When this happens, the Supervisor (not shown) generates an entry in the WMR-FAT which defines the cluster that is about to be modified and has a pointer to a copy of the original.

(b) The copy of the original cluster may be stored elsewhere in the storage medium. For example, it could be stored in a dedicated area reserved for that purpose such as a special partition or an area in Virus Isolator Space 102. Alternatively, the original cluster could be found temporary space within a dormant partition. Since the dormant partitions cannot be accessed by a user (and therefore by a virus) during the session the original cluster is safe and may be released before a new session is begun. This is illustrated in Figure 1.

(c) The Supervisor follows the flow diagram shown 
in Figure 2 whenever a write request is made to a 
WMR partition 103. 
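The copy-before-write scheme of this second embodiment, as described in the Summary (a FAT held in the special partition mapping altered clusters to saved originals), in 2.3(a) (the two-step restore per entry and its tolerance of a power cut) and in 4(a) and (b) above, is simulated below. This is an added example, not code from the application; the 16-cluster medium, the modelling of the WMR-FAT as a dict and the crash-injection parameter on the restore routine are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass
class Medium:
    """Constructed cluster store (not from the application): a WMR partition
    and a Virus Isolator Space on the same medium."""
    clusters: list
    wmr: range     # clusters of the WMR partition
    vis: range     # Virus Isolator Space: holds the saved original clusters


def make_medium():
    """16-cluster medium: WMR partition at clusters 0-7, Virus Isolator Space at 8-15."""
    clusters = [b"orig-%d" % i for i in range(8)] + [b""] * 8
    return Medium(clusters, range(0, 8), range(8, 16))


class Supervisor:
    """Copy-before-write for a WMR partition, with the start-of-session restore.
    The WMR-FAT is modelled as a dict; in the application it is persisted in
    Virus Isolator Space, which is what lets it survive a power cut."""

    def __init__(self, medium):
        self.m = medium
        self.fat = {}                   # WMR-FAT: altered cluster -> cluster holding its original
        self.free = list(medium.vis)    # VIS clusters not yet used for a saved original

    def write(self, cluster, data):
        """Fig 5 write path: on the first alteration of a cluster in a session,
        save the original and record the FAT entry before the write lands."""
        if cluster not in self.m.wmr:
            raise PermissionError("only WMR-partition writes are handled here")
        if cluster not in self.fat:
            if not self.free:
                raise RuntimeError("Virus Isolator Space exhausted")
            saved = self.free.pop(0)
            self.m.clusters[saved] = self.m.clusters[cluster]   # copy original out first
            self.fat[cluster] = saved                           # then record where it went
        self.m.clusters[cluster] = data                         # now the write may proceed

    def restore(self, crash_after_copy=None):
        """Start-of-session restore: for each WMR-FAT entry, copy the original
        back and delete the entry. crash_after_copy=n simulates a power cut
        after the n-th cluster (0-based) has been copied back but before its
        entry is deleted. Returns True when the FAT has been fully drained."""
        done = 0
        for cluster in list(self.fat):
            self.m.clusters[cluster] = self.m.clusters[self.fat[cluster]]
            if crash_after_copy is not None and done == crash_after_copy:
                return False            # entry still present: a rerun redoes this copy harmlessly
            self.free.append(self.fat.pop(cluster))
            done += 1
        return True


def session_demo():
    """One session with two altered clusters, then a restore interrupted by a
    simulated power cut, then a second restore that completes."""
    m = make_medium()
    sup = Supervisor(m)
    sup.write(2, b"untrusted-2")     # a program overwrites cluster 2 ...
    sup.write(2, b"untrusted-2b")    # ... twice: only one FAT entry, original kept
    sup.write(5, b"swap-5")
    result = {
        "in_session": (m.clusters[2], m.clusters[5]),
        "fat_before": dict(sup.fat),
    }
    result["first_restore_completed"] = sup.restore(crash_after_copy=0)
    result["fat_after_crash"] = dict(sup.fat)
    result["second_restore_completed"] = sup.restore()
    result["after_restore"] = (m.clusters[2], m.clusters[5])
    result["fat_after"] = dict(sup.fat)
    return result


if __name__ == "__main__":
    for key, value in session_demo().items():
        print(key, value)
```

The ordering inside `write` (save the original, record the entry, only then overwrite) and inside `restore` (copy back, only then delete the entry) is what makes the procedure repeatable: at every point where a crash could occur, the FAT still names every cluster whose original has not yet been confirmed back in place, so rerunning the restore can only copy an original over itself.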

Referring now to Figure 6 there is illustrated a block diagram of a hardware arrangement suitable for implementing a first embodiment of a Supervisor for use in an embodiment of the present invention. The Supervisor provides a typical bus interface 7 to a mother board of a personal computer (PC) or the like, and Read Only Memory (ROM) 2 containing an appropriate BIOS (Basic Input/Output System) driver to control mode entry at the start of each session.

The Supervisor is designed to reside between the disk interface of the PC and the disk drive. The PC connects to the Supervisor through a ribbon cable 201 from the Integrated Device Electronics (IDE) bus of the PC. The Supervisor then connects with a disk drive over a second ribbon cable 202 which also behaves as an IDE bus. All communication between the PC and the hard disk is controlled by the Supervisor.

The Supervisor hardware includes a microprocessor 216, Read Only Memory (ROM) 213, holding a Supervisor Operating System and a control program, and Random Access Memory (RAM 214), which is a scratch memory used to hold parameters and WMR-SRT(s).

A dual port RAM 210 provides memory which both
the PC and Supervisor processor can access. The Su-
pervisor may use this memory to reflect IDE task regis-
ters.

Transceivers 206, 209 and multiplexors 205 allow
either the PC or the Supervisor processor to access the
disk drive. The Supervisor controls which of these has
access. Latches 207, 208 allow the Supervisor, which
has an 8 bit bus, to read and write 16 bit values to and
from the disk drive.

A logic block 212 contains a latch which may be writ-
ten to by the Supervisor processor. The value of this
latch is compared with the PC interface upper address
bus, and the BIOS 211 is only enabled when these
match. This allows the BIOS to be configured, through
the Supervisor, to appear anywhere in the lowest meg-
abyte of PC address space.

A logic block 215 maps ROM 213, RAM 214 and
dual port RAM 210 into the Supervisor processor ad-
dress space. It also controls the access to latches 207,
208 and to the latch within logic block 212.

A logic block 204 ensures that control signals that 
pass between the PC and disk drive are correctly buff- 
ered and that they are inhibited when the Supervisor 
processor is connected to the disk drive. 

A logic block 203 ensures that the communication
between the PC and the disk drive is under the control
of the Supervisor. It monitors and controls read and write
commands to task file registers on the disk drive. The
Supervisor processor is made aware of critical opera-
tions which are being attempted and controls whether
the operation is progressed, prevented or the request
modified. This is implemented by decoding off the PC
address lines together with read and write control sig-
nals. Certain read and write attempts cause a Supervi-
sor processor interrupt to be generated. The Supervisor
will then act based on the change. Disk drive interrupts
are also routed first to the Supervisor processor where
they can be passed on to the PC as required.

Inspection of Fig 6 clearly shows that a virus can
never interfere with the Supervisor microprocessor 216
since it is only able to fetch executable code from its own
ROM 213.

A more detailed description of the embodiment of
the Supervisor shown in Fig 6 is not given herein, as this
would be within the normal undertaking of a person
skilled in the art.

Referring now to Figure 7 there is illustrated a block
diagram of a hardware arrangement suitable for imple-
menting a second embodiment of a Supervisor for use
in an embodiment of the present invention. The Super-
visor provides a typical hard disk adaptor card interface
310 to a mother board of a personal computer (PC) or the
like, and Read Only Memory (ROM) 312 containing an
appropriate BIOS (Basic Input/Output System) driver for
operation of the hard disk.

The Supervisor hardware includes a microproces-
sor 314 and a transceiver 316, which allow the PC re-
stricted access to a SCSI interface 318 such that the PC cannot
directly select or arbitrate for the disk drive or issue com-
mands over the SCSI interface 318. These operations
can be performed only by the Supervisor microproces-
sor 314, which communicates bidirectionally with the PC
using status in/out ports 320 and 322.

Communication between the microprocessor 314
and the SCSI interface 318 takes place via the bidirec-
tional ports of a second transceiver 324. The Supervisor
also includes its own Read Only Memory (ROM) 326,
holding a Supervisor Operating System and a control
program, and Random Access Memory (RAM) 328,
which is a scratch memory used to hold parameters. Re-
set logic 330 is also provided, and is used for clearing
the PC memory if and when an attempt is made to per-
form an operation prohibited by the Supervisor.

Referring to Figure 8 there is shown a schematic
diagram of an actual embodiment of the Supervisor with
the integers numbered identically to those of Fig 7.

The embodiment of Fig 8 further includes the fol-
lowing components: Gate Array Logic (GAL) devices
G1-G5; buffers B1, B2; and flip-flops 74,1(1), 74,1(2),
74,2(1) and 74,2(2).

The function of these components is as follows. G1 
maps the ROM BIOS into the IBM memory map, and 
also provides tristate connection of the output of flip-flop 
74,2(2) to the IBM data bus. 

G2 provides access by the IBM to a subset of the
SCSI controller's internal registers by mapping them in-
to the IBM I/O space. G2 further provides pseudo-DMA
decoding logic for data transfer to/from the SCSI con-
troller, and maps a flag, i.e. flip-flop 74,2(2), and latch P1
into the IBM I/O space.

G3 multiplexes between the Supervisor and IBM
address buses, to the SCSI controller address bus.

G4 multiplexes between the Supervisor and IBM
control lines to the SCSI controller. G4 also enables ei-
ther (but never both) transceiver T1, T2, and includes
logic for a possible wait state during data transfers be-
tween the IBM and the SCSI controller.

G5 maps all ports in the Supervisor I/O space:
latches P1, P2, the SCSI reset line and flip-flops 74,1(2)
and 74,2(2). G5 further maps ROM into the Supervisor
memory map, and provides tristate connection of the output
of flip-flop 74,2(2) to the Supervisor data bus.

The buffers B1, B2 ensure that there can be only
one gate draining current from the IBM backplane for
each of the address, IOR and IOW lines.

Flip-flop 74,1(1) divides the clock frequency by two
and squares up the pulses. Dependent on the output of
74,1(2), either the IBM has access (restricted) or the Su-
pervisor has access, to the SCSI controller.

74,2(1) provides part of the timing for wait state gen-
eration during SCSI data transfer, while 74,2(2) is a flag
to indicate that a data byte has been sent by the IBM for
the attention of the Supervisor.
The components of the embodiment of Fig 8 are as
follows. GALs G1-G5 are of the type SGS-Thomson
GAL16V8-15ns; flip-flops 74,1(1), 74,1(2), 74,2(1) and
74,2(2) are of the type 74ALS74; buffers B1, B2 are
74ALS244's; latches P1, P2 are 74ALS373's; transceiv-
ers T1, T2 are 74F245's; the processor 314 is a Zilog
Z84C50 (10MHz); the ROM 312 a 2764A (8k x 8); and
the SCSI controller 318 an NCR 5380.

Inspection of Fig 8 clearly shows that a virus can
never interfere with the Supervisor microprocessor 314
since it is only able to fetch executable code from its own
ROM 326.

A more detailed description of the embodiment of
the Supervisor shown in Fig 8 is not given herein, as this
would be within the normal undertaking of a person
skilled in the art.

The embodiments of the present invention herein- 
before are given by way of example only and are not 
meant to limit the scope thereof in any way. 

It should be appreciated that the present invention
seeks to alleviate the problems hereinbefore outlined in
the prior art with little penalty in terms of storage or per-
formance overhead. This invention allows a "Super-
vised" user full read and write access to the boot parti-
tion, whilst ensuring at the start of each session on the
computer system that the boot partition is clean, virus-
free and unmodified. This addresses the problems out-
lined above, while allowing maintenance of the com-
plete virus protection disclosed in PCT/GB91/00261.

It may be envisaged that a user may wish to main- 
tain changes between sessions. In that case, the user 
could create a batch file which stores the altered files in 
the active partition, prior to shutdown. At the start of the 
new session these files could replace the originals in the 
WMR partitions. 
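The access rules the Supervisor enforces on each disk request, as set out in claims 5 and 18 to 22 below, written out as an added illustration that is not the patent's own code. Boot sectors below the first partition are folded into the boot partition (claim 19), the boot partition is read-only with a reset on any write or format (claim 18), an active general partition takes user writes freely and operating-system writes unless they alter the partition's size or boundaries (claim 20), and an inactive general partition permits only reads of operating-system sectors (claim 21). The partition layout, the sector numbers, the function names and the choice of "deny" rather than "reset" for inactive partitions (claim 21 leaves either open) are assumptions made for the example.

```python
# Added example (not from the patent): the Supervisor's read/write/format
# policy as a decision function. Layout, sector numbers and names are
# constructed; "deny" for inactive partitions is an assumption.
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    BOOT = "boot"
    GENERAL = "general"


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"      # request refused, session continues
    RESET = "reset"    # request refused and the PC is forced to reset


@dataclass(frozen=True)
class Partition:
    name: str
    first: int
    last: int
    kind: Kind
    active: bool = True


# Constructed layout. Sectors below BOOT_SECTOR_LIMIT (master boot record
# and the like) are treated as part of the boot partition (claim 19).
BOOT_SECTOR_LIMIT = 64
LAYOUT = [
    Partition("boot", 64, 1023, Kind.BOOT),
    Partition("work", 1024, 4095, Kind.GENERAL, active=True),
    Partition("dormant", 4096, 8191, Kind.GENERAL, active=False),
]


def locate(lba, layout=LAYOUT):
    """Map a sector number to the partition the Supervisor treats it as."""
    if lba < BOOT_SECTOR_LIMIT:
        return next(p for p in layout if p.kind is Kind.BOOT)
    for p in layout:
        if p.first <= lba <= p.last:
            return p
    raise ValueError(f"sector {lba} is outside every partition")


def supervise(op, lba, os_sector, changes_partition_bounds=False,
              supervised=True, layout=LAYOUT):
    """Decide one request. op is 'read', 'write' or 'format'; os_sector says
    whether the sector holds operating-system rather than user information."""
    if op not in ("read", "write", "format"):
        raise ValueError(op)
    if not supervised:                       # claim 22: set-up/maintenance
        return Verdict.ALLOW
    part = locate(lba, layout)
    if part.kind is Kind.BOOT:               # claim 18: read only, else reset
        return Verdict.ALLOW if op == "read" else Verdict.RESET
    if part.active:                          # claims 5 and 20
        if op in ("read", "format"):
            return Verdict.ALLOW
        if not os_sector:                    # user data: free to write
            return Verdict.ALLOW
        return Verdict.RESET if changes_partition_bounds else Verdict.ALLOW
    # Inactive general partition (claim 21): only OS-sector reads pass.
    if op == "read" and os_sector:
        return Verdict.ALLOW
    return Verdict.DENY


if __name__ == "__main__":
    requests = [("read", 10, True), ("write", 10, False), ("write", 500, True),
                ("write", 2000, False), ("format", 2000, False),
                ("format", 5000, False), ("read", 5000, True)]
    for op, lba, os_sector in requests:
        print(op, lba, locate(lba).name, supervise(op, lba, os_sector).value)
```

The point of keeping the decision in one pure function is that it is what the Supervisor's ROM code must get right regardless of which bus (IDE or SCSI) the request arrives on; a practitioner porting the policy would table-test it exactly as the assertions below do before wiring it to interrupts.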



Claims 

1. A method of controlling access to and modification 
of information stored on a storage medium forming 
part of a computer system comprising: 

dividing information stored on the storage me- 
dium into a plurality of non-overlapping partitions in- 
cluding a boot partition and at least one general par- 
tition, 

characterised by 

designating at least one of said partitions a
Write Many Recoverable (WMR) partition wherein,
in use, if a write command is issued to overwrite any
resident information stored in a/the WMR partition
by updated information, the updated information is
written on the storage medium in a location other
than where any resident information is stored and
a (virtual) pointer to the updated information is set
up/kept so that the updated information can be ac-
cessed, as required during a remainder of a ses-
sion.

2. A method as claimed in claim 1, wherein a system
reset causes the updated information, together with
the list of pointers to this information, to be cleared,
thereby returning the WMR partition to its original
state.

3. A method as claimed in any preceding claim, where-
in a boot partition on the storage medium is desig-
nated a WMR partition.

4. A method as claimed in any preceding claim, where-
in a general partition is designated a WMR partition.

5. A method as claimed in any preceding claim, where- 
in there is also provided supervising means (a Su- 
pervisor) separate of a central processing unit 
(CPU) of the computer system and made inacces- 
sible to the user. 

said supervising means allowing/restricting/
prohibiting read/write operations upon the
storage medium depending upon whether in-
formation to be read from a sector or written to
a sector is operating system information or user
information, whether the sector is in the boot
partition or in a general partition, and whether
the partition is active or inactive,
said supervising means also allowing a format 
operation only on a general partition which is 
active and prohibiting a format operation on the 
boot partition or on a general partition which is 
inactive, 

and causing a warning to be issued to the user 
should an attempt be made to perform a pro- 
hibited read, write or format operation. 

6. A method as claimed in claim 5, wherein space is
reserved on the storage medium which is accessed
only by the Supervisor, referred to as a dedicated
area.

7. A method as claimed in claim 6, wherein the dedi-
cated area is a special partition, a range of sectors
within the WMR partition, or unallocated sectors
within a dormant partition.

8. A method as claimed in any preceding claim, where-
in each WMR partition has a Sector Relocation Ta-
ble (SRT) associated with it which table is held in a
Random Access Memory (RAM) of the Supervisor,
each entry in a SRT defining the address of a range
of sectors in the WMR partition that have been up-
dated and an address where the updated informa-
tion is located, this location being within the dedi-
cated area.

9. An apparatus for controlling access to and modifi-
cation of information stored on a storage medium
of a computer system, the storage medium being
divided into a plurality of non-overlapping partitions
including a boot partition and at least one general
partition,

characterised in that

at least one of said partitions comprises a
Write Many Recoverable (WMR) partition wherein,
in use, if a write command is issued to overwrite (i.e.
update) any information stored in the WMR partition
the updated information is stored elsewhere on the
storage medium and a (virtual) pointer to the updat-
ed information kept so the updated information can
be accessed as required during the remainder of
the session, wherein a system reset causes the up-
dated information, together with the list of pointers
to the updated information, to be cleared.

10. An apparatus according to claim 9, wherein the ap-
paratus further comprises a supervising means (a
Supervisor) separate of a central processing unit
(CPU) of the computer system and made inacces-
sible to the user,

said supervising means allowing/restricting/
prohibiting read/write operations upon the stor-
age medium depending upon whether informa-
tion to be read from a sector or written to a sec-
tor is operating system information or user in-
formation, whether the sector is in the boot par-
tition or in a general partition and, if the
partition is a general partition, whether the partition is ac-
tive or inactive,

said supervising means also allowing a format
operation only on a general partition which is
active and prohibiting a format operation on the
boot partition or on a general partition which is
inactive,

the supervising means causes a warning to be
issued to the user should an attempt be made
to perform a prohibited read, write or format op-
eration, said operation being prevented by the
Supervisor.

11. A method of controlling access to and modification
of information stored on a storage medium forming
part of a computer system comprising:

dividing information stored on the storage me-
dium into a plurality of non-overlapping parti-
tions including a boot partition and at least one
general partition,

characterised by

designating at least one of said partitions a
Write Many Recoverable (WMR) partition
wherein, in use, if a write command is issued to
overwrite any information stored in a/the WMR
partition, prior to undertaking said write com-
mand said information is copied and stored
elsewhere on the storage medium to be copied
back to said WMR partition when required, for
example upon a system reset.

12. A method as claimed in claim 11, wherein a super-
vising means (a Supervisor) separate of a central
processing unit (CPU) of the computer system for
controlling the performance of read, write and for-
mat operations upon the information stored on the
storage medium so as to allow, restrict or prevent
such operations depending upon the type of infor-
mation stored within a sector and type and status
of the partition within which the sector is located,

the supervising means causing a reset to be
required of the computer system should an attempt
be made to perform a prohibited read, write or for-
mat operation, said reset causing memory to be
cleared and the operating system to be loaded.

13. A method as claimed in claim 11 or 12, wherein the
storage medium provides a special partition (Virus
Isolation Space), each WMR partition having a File
Allocation Table (FAT) allocated to it which table is
held in said special partition, each entry in a FAT
defining the address of a cluster that has been al-
tered in the WMR partition and the address of the
copy of the information originally held in said cluster.

14. A method as claimed in claim 13, wherein the infor- 
mation originally held in said cluster is copied to the 
special partition. 

15. A method as claimed in claim 13, wherein the infor-
mation originally held in said cluster may be copied
to an inactive partition.

16. An apparatus for controlling access to and modifi-
cation of information stored on a storage medium
of a computer system, the storage medium being
divided into a plurality of non-overlapping partitions
including a boot partition and at least one general
partition,

characterised in that

at least one of said partitions comprises a
Write Many Recoverable (WMR) partition wherein,
in use, if a write command is issued to overwrite any
information stored in a/the WMR partition, prior to
undertaking said write command said information is
copied and stored elsewhere on the storage medi-
um to be copied back to said WMR partition when
required, for example upon a system reset.

17. An apparatus as claimed in claim 16, wherein a su-
pervising means (a Supervisor) separate of a cen-
tral processing unit (CPU) of the computer system
for controlling the performance of read, write or for-
mat operations stored on the storage medium so as
to allow, restrict or prevent such operations depend-
ing upon the type of information stored within a sec-
tor and the type and status of the partition within
which the sector is located wherein, in use, the su-
pervising means causes a reset to be required of
the computer system should an attempt be made to
perform a prohibited read, write or format operation.

18. A method as claimed in claim 1 or 11, wherein read
operations are allowed on any information in the
boot partition, but an attempt to write or format the
boot partition causes a system reset.

19. A method as claimed in claim 18, wherein boot sec-
tors of the storage medium are considered to be
part of the boot partition, irrespective of the position
of the starting sector of the boot partition as may be
defined by the storage medium operating system.

20. A method as claimed in claim 18 or 19, wherein
reading of any operating system information sec-
tors or user-generated information sectors in an ac-
tive general partition may be allowed, writing to
such user-generated information sectors is al-
lowed, and writing to such operating system infor-
mation sectors is restricted such that an attempt
to modify the size or boundaries of the partition
causes a system reset.

21. A method as claimed in claim 18 or 19, wherein only
the reading of information from operating system
sectors of inactive general partitions is allowed,
and an attempt to perform any other read, write or
format operations on such partitions may be either
denied or causes a system reset.

22. A method as claimed in claim 21, wherein the re-
striction or prevention of the performance of read,
write and format operations can be removed to al-
low set-up or maintenance of the storage medium
and thereafter reinstated.

23. A method as claimed in claims 1 or 11, wherein the
storage medium may be selected from any one of
a hard disk, a floppy disk, an optical disk or a tape.

24. A method as claimed in claims 1 or 11, wherein the
storage medium is a fileserver, and the computer
system is a local area network, and which user com-
puter is using which partition of the fileserver may
be determined such that an attempt by a user com-
puter to perform a prohibited operation causes a re-
set to be required of the user computer.
25. The apparatus as claimed in claims 11 or 16, where-
in the apparatus provides hardware means adapted to be incor-
porated into the computer system.

26. An apparatus as claimed in claims 9 or 16, wherein
the apparatus provides firmware means adapted to
be incorporated into the computer system.

27. An apparatus as claimed in claims 9 or 16, wherein
the apparatus provides a combination of both hard-
ware and firmware means, both being adapted to
be incorporated into the computer system.

28. An apparatus as claimed in claims 9, 10, 16 or 17,
wherein there may be provided a processor which
may be made inaccessible to a user and to any virus
and which supervises all data transfers between
and within subdivisions of the storage medium or
storage media placed under its control.

29. A method as claimed in any of claims 1 to 7 or 11
to 15, wherein a password is entered and stored in
virus isolation space, the password being capable
of being later used to allow access to unsupervised
mode.

30. A method as claimed in any of claims 1 to 8 or 11
to 15, wherein the user can create a batch file(s)
which stores altered files in an active partition prior
to shutdown such that at the start of a new session
such file(s) can replace the information stored in a/
the WMR partition(s).
[Flow-diagram text recovered from the drawings (the write-request flow of Figure 2): "User wishes to write to Area 'A' of WMR Partition"; "Has Area 'A' already been changed this session?"; "Find location of sectors which have ..."; "ALLOW WRITE". A second drawing begins "User wishes to write to cluster 'A' of WMR Partition". The remainder of the drawings is not recoverable from the text.]